Week 14 - day56 - iptables (part 2)
Related links:
https://blog.csdn.net/qq_21231413/article/details/88171590
NAT port-forwarding setup:
https://www.cnblogs.com/kevingrace/p/5865792.html
1. The ICMP protocol
Overview:
IP is a connectionless datagram protocol: it is unreliable and performs no error checking of its own. The Internet Control Message Protocol (ICMP) exists to fill that gap. ICMP carries control messages between IP hosts and routers: datagram error reports, network-status information, host-status information and so on. These messages carry no user data, but they are essential to getting user datagrams delivered. In the TCP/IP layering ICMP belongs to the network layer; it accompanies IP datagram delivery and makes it more reliable.
ICMP messages are encapsulated inside IP datagrams, which makes ICMP look a little like a transport protocol. It is not: an ICMP message is not addressed to an application on the destination host and provides no transport service to applications; its destination is the network-layer software of the destination host. Put simply, ICMP is the doctor making rounds in the network: it detects and reports problems promptly and is the most practical tool for diagnosing network errors and congestion.
ICMP messages come in many types, and each type has its own codes. The two you meet most often are type 8 (echo request) and type 0 (echo reply).
When the network misbehaves you reach for ping. ping works on ICMP, and the ICMP message travels inside an IP packet.
Connection-tracking states used by the -m state (or -m conntrack) match, see section 5.5:
NEW: the first packet of a connection that conntrack has not seen before
ESTABLISHED: a connection in which packets have been seen in both directions
RELATED: a new connection associated with an existing one, for example an ICMP error message or an FTP data channel
INVALID: a packet that cannot be associated with any known connection (a good candidate for DROP)
2. Allowing or blocking ping
Right now the host answers ping:
[aaa@qq.com ~]# ping 10.0.0.61
PING 10.0.0.61 (10.0.0.61) 56(84) bytes of data.
64 bytes from 10.0.0.61: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from 10.0.0.61: icmp_seq=2 ttl=64 time=0.038 ms
^C
--- 10.0.0.61 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.038/0.051/0.064/0.013 ms
[aaa@qq.com ~]# ping 172.16.1.61
PING 172.16.1.61 (172.16.1.61) 56(84) bytes of data.
64 bytes from 172.16.1.61: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 172.16.1.61: icmp_seq=2 ttl=64 time=0.039 ms
^C
--- 172.16.1.61 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.039/0.059/0.079/0.020 ms
[aaa@qq.com ~]#
Add an icmp rule that blocks ping
[aaa@qq.com ~]# iptables -I INPUT -p icmp --icmp-type any -j DROP #block ping; --icmp-type any matches every ICMP type and is shown as icmptype 255 by iptables -nL
[aaa@qq.com ~]#
[aaa@qq.com ~]# ping 10.0.0.61 #no longer answers
PING 10.0.0.61 (10.0.0.61) 56(84) bytes of data.
^C
--- 10.0.0.61 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
[aaa@qq.com ~]# ping 172.16.1.61 #no longer answers
PING 172.16.1.61 (172.16.1.61) 56(84) bytes of data.
^C
--- 172.16.1.61 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2001ms
[aaa@qq.com ~]# ping 127.0.0.1 #fails too: loopback traffic also traverses INPUT, and the rule has no -i restriction
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1003ms
3. Rate-limiting
The limit match is a token bucket: --limit-burst 5 lets the first five echo requests through at once, after which the bucket refills at --limit 6/min, so one request every ten seconds is accepted. The rule only ever ACCEPTs; with INPUT's policy at ACCEPT it changes nothing. It does its job when a later rule (here the DROP on all ICMP from section 2, which -I keeps below it) or a DROP policy discards the echo requests that overflow the bucket. Note that 5 is the default burst, so iptables-save prints the rule without --limit-burst (see the next section).
iptables -I INPUT -s 10.0.1.0/24 -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT
4. Saving rules permanently
[aaa@qq.com ~]# cat /etc/sysconfig/iptables #the default rules shipped with the iptables-services package
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[aaa@qq.com ~]# iptables-save #the rules currently loaded in the kernel
# Generated by iptables-save v1.4.21 on Wed Jul 3 09:28:21 2019
*filter
:INPUT ACCEPT [93:6196]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69:7412]
-A INPUT -s 10.0.1.0/24 -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
COMMIT
# Completed on Wed Jul 3 09:28:21 2019
# Generated by iptables-save v1.4.21 on Wed Jul 3 09:28:21 2019
*nat
:PREROUTING ACCEPT [39:2360]
:INPUT ACCEPT [2:104]
:OUTPUT ACCEPT [44:3050]
:POSTROUTING ACCEPT [44:3050]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 10.0.0.61
-A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.61
COMMIT
# Completed on Wed Jul 3 09:28:21 2019
[aaa@qq.com ~]# iptables-save >/etc/sysconfig/iptables #overwrite the file that iptables.service loads at start with the live rules
[aaa@qq.com ~]#
[aaa@qq.com ~]# iptables-restore < /etc/sysconfig/iptables
[aaa@qq.com ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- 10.0.0.0/24 0.0.0.0/0 icmptype 8 limit: avg 6/min burst 5
ACCEPT icmp -- 10.0.1.0/24 0.0.0.0/0 icmptype 8 limit: avg 6/min burst 5
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[aaa@qq.com ~]# systemctl restart iptables.service
Notes:
- iptables-save >/etc/sysconfig/iptables writes the live rules to the file that iptables.service loads
- when iptables.service is stopped/disabled, the rules are flushed and the policies reset to ACCEPT
- with the service stopped, do not check the state with iptables -nL: the command loads the ip_tables kernel modules, so the (empty) tables appear as soon as you look, which is easily mistaken for the firewall being on
- check the service state with: systemctl is-active iptables
5. Production firewall configuration
1. The park: the firewall's default rules; everything is allowed by default (Chain INPUT (policy ACCEPT))
2. The cinema: the default policy is DROP; you only get in with a ticket (an explicit ACCEPT rule)
The order of the steps below matters: add the ACCEPT rules first (5.1 to 5.6) and switch the policy to DROP last (5.7). Doing it the other way round on a remote host drops your own SSH session.
5.1 Allow the SSH port in
[aaa@qq.com ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
5.2 Allow loopback (lo) traffic in and out
[aaa@qq.com ~]# iptables -A OUTPUT -o lo -j ACCEPT
[aaa@qq.com ~]# iptables -A INPUT -i lo -j ACCEPT
-i matches the interface a packet arrived on; it is valid in INPUT (and FORWARD/PREROUTING), never in OUTPUT
-o matches the interface a packet leaves through; it is valid in OUTPUT (and FORWARD/POSTROUTING), never in INPUT
5.3 Allow ICMP through (echo request only; the replies to our own pings are covered by ESTABLISHED in 5.5)
[aaa@qq.com ~]# iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
5.4 Allow the user-facing ports 80 and 443
#remove the trusted-subnet rules from 5.6 first, so the test really exercises the port rules
[aaa@qq.com ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[aaa@qq.com ~]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#tested between two VMs: listen on port 80 with nc on m01, connect from the other VM with telnet
[aaa@qq.com ~]# nc -l 80
垃
鸡
[aaa@qq.com ~]# telnet 10.0.0.61 80
Trying 10.0.0.61...
Connected to 10.0.0.61.
Escape character is '^]'.
垃
鸡
5.5 Allow established connections (return traffic for connections the user or the server has opened)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
5.6 Allow trusted subnets (all protocols)
[aaa@qq.com ~]# iptables -A INPUT -s 10.0.0.0/24 -p all -j ACCEPT
[aaa@qq.com ~]# iptables -A INPUT -s 172.16.1.0/24 -p all -j ACCEPT
5.7 Change the default policies
[aaa@qq.com ~]# iptables -P INPUT DROP
[aaa@qq.com ~]# iptables -P FORWARD DROP
[aaa@qq.com ~]# iptables -P OUTPUT ACCEPT
Check the resulting rules (the "ACCEPT all" lines without a match are the lo rules from 5.2; iptables -nL does not show interfaces, use iptables -nvL to see them):
[aaa@qq.com ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 10.0.0.0/24 0.0.0.0/0
ACCEPT all -- 172.16.1.0/24 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
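The steps of section 5, with the rate-limited ICMP rule of section 3 folded in, as one script. This is an added example and not part of the original notes: it generates the "cinema" ruleset in iptables-restore format instead of typing the rules one by one, so the DROP policy and the ACCEPT rules land in the kernel together and there is no window in which SSH is cut off. The ports, subnets and rate are assumptions taken from the lab on this page; the helper names (build_ruleset, ssh_is_reachable, apply_and_persist) are mine.

```bash
#!/usr/bin/env bash
# Added example: build the default-deny INPUT ruleset from section 5 as an
# iptables-restore file, with the section 3 ping rate limit, and check it
# before anything touches the kernel.
set -eu

# Assumed values, adjust for your hosts (the subnets are the lab's).
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80 443}"
TRUSTED_NETS="${TRUSTED_NETS:-10.0.0.0/24 172.16.1.0/24}"
PING_RATE="${PING_RATE:-6/min}"
PING_BURST="${PING_BURST:-5}"

# Print the complete filter table. The policies sit in the header lines, so
# unlike the interactive "iptables -P INPUT DROP" step the policy and the
# SSH ACCEPT are committed in one atomic operation.
build_ruleset() {
    local port net
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and return traffic first: they match most packets, so putting
    # them at the top keeps every other packet's walk through the chain short.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' "-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT"
    for port in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport ${port} -m state --state NEW -j ACCEPT"
    done
    # Section 3: echo requests from anywhere, but only at a limited rate.
    # An ACCEPT with -m limit does nothing on its own; the DROP policy is what
    # discards the echo requests that overflow the bucket.
    printf '%s\n' "-A INPUT -p icmp --icmp-type 8 -m limit --limit ${PING_RATE} --limit-burst ${PING_BURST} -j ACCEPT"
    for net in $TRUSTED_NETS; do
        printf '%s\n' "-A INPUT -s ${net} -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Returns 0 when the ruleset is default-deny and still admits SSH: INPUT policy
# is DROP and an ACCEPT for the SSH port exists. Returns 1 otherwise.
ssh_is_reachable() {
    local rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' &&
    printf '%s\n' "$rules" | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT"
}

# Number of explicit INPUT rules, to compare against "iptables -nvL INPUT".
input_rule_count() {
    printf '%s\n' "$1" | grep -c -- '^-A INPUT'
}

# Apply atomically and persist where iptables.service expects the file
# (CentOS 7, iptables-services package). Root only; not run by this script.
apply_and_persist() {
    local tmp
    tmp=$(mktemp)
    build_ruleset > "$tmp"
    ssh_is_reachable "$(cat "$tmp")" || { echo "refusing: ruleset would drop SSH" >&2; rm -f "$tmp"; return 1; }
    iptables-restore < "$tmp"
    cp "$tmp" /etc/sysconfig/iptables
    rm -f "$tmp"
}
```

Running build_ruleset alone prints the file for review; on iptables versions that support it, iptables-restore --test < file parses the file without committing it, which is a cheaper check than the reachability test above. Because iptables-restore replaces the whole filter table, anything added interactively (the section 2 DROP, for instance) disappears when apply_and_persist runs, which is the point: the file is the single source of truth.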
6. The nat table
| nat table chain | what it rewrites |
|---|---|
| PREROUTING | the destination address and port of incoming requests: port forwarding, IP mapping (DNAT) |
| POSTROUTING | the source address and port of packets leaving the server: shared Internet access (SNAT) |
| OUTPUT | packets generated by the host itself: rewrites the destination of what the host sends out (DNAT for local traffic) |
Save the existing rules before flushing them:
[aaa@qq.com ~]# iptables-save >/root/iptables.rule
[aaa@qq.com ~]# ll iptables.rule
-rw-r--r-- 1 root root 969 Jul 3 10:33 iptables.rule
Get the default policy wrong here and you will be walking to the server room to fix it by hand:
6.1 PREROUTING
[aaa@qq.com ~]# #iptables -t nat -A PREROUTING -d 10.0.0.61 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.51:22 #forward TCP 8080 arriving at m01 to db01's SSH port
[aaa@qq.com ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.61 tcp dpt:8080 to:10.0.0.51:22
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 !10.8.0.0/24 to:10.0.0.61
SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.61
[aaa@qq.com ~]# iptables -nL -t nat #view the nat table
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.61 tcp dpt:9000 to:10.0.0.51:22
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 !10.8.0.0/24 to:10.0.0.61
SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.61
[aaa@qq.com ~]# cat /proc/sys/net/ipv4/ip_forward #check whether the kernel forwards packets between interfaces (1 = yes); this is a routing setting, not the firewall state
1
[aaa@qq.com ~]# lsmod |egrep 'nat|ipt|filter' #confirm the nat and conntrack modules are loaded
iptable_filter 12810 1
xt_nat 12681 3
iptable_nat 12875 1
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26787 2 nf_nat_ipv4,xt_nat
nf_conntrack 133095 3 nf_nat,nf_nat_ipv4,nf_conntrack_ipv4
ip_tables 27126 2 iptable_filter,iptable_nat
ipt_REJECT 12541 0
nf_reject_ipv4 13373 1 ipt_REJECT
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack
#forwarded connections will not work until IP forwarding is enabled; set the kernel parameter net.ipv4.ip_forward
[aaa@qq.com ~]# #method 1: takes effect immediately, lost at reboot
[aaa@qq.com ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[aaa@qq.com ~]# cat /proc/sys/net/ipv4/ip_forward
1
[aaa@qq.com ~]# #method 2: persistent across reboots
[aaa@qq.com ~]# echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
#apply it now
[aaa@qq.com ~]# sysctl -p
6.2 POSTROUTING
#NAT for shared Internet access: packets from 172.16.1.0/24 leaving through eth0 get m01's public address as source
[aaa@qq.com ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.61
[aaa@qq.com ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.61
On db01, take eth0 down so that all its traffic has to go through m01
#disable the eth0 interface
[aaa@qq.com ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=no #do not bring eth0 up at boot
IPADDR=10.0.0.51
PREFIX=24
GATEWAY=10.0.0.254
DNS1=10.0.0.254
or
[aaa@qq.com ~]# ifdown eth0 #take eth0 down until the next boot
#from m01, reach db01 over its internal address
[aaa@qq.com ~]# ssh 172.16.1.51
Last login: Wed Jul 3 11:12:04 2019 from 10.0.0.1
[aaa@qq.com ~]#
#change the gateway of eth1
[aaa@qq.com ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=static
IPADDR=172.16.1.51
PREFIX=24
NAME=eth1
DEVICE=eth1
ONBOOT=yes
GATEWAY=172.16.1.61 #gateway is now m01's internal address
DNS1=223.5.5.5 #a static configuration gets no resolver automatically; without this line routing works but name resolution fails
[aaa@qq.com ~]# systemctl restart network #restart networking
[aaa@qq.com ~]#
[aaa@qq.com ~]# ping baidu.com #Internet access works through m01 now
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=7.74 ms
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=2 ttl=127 time=11.8 ms
^C
--- baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 7.249/9.136/11.833/1.812 ms
[aaa@qq.com ~]#
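The gateway side of section 6 as one script. This is an added example and not part of the original notes. It enables forwarding, adds the DNAT and SNAT rules, and, unlike the notes, also adds the FORWARD rules that the forwarded traffic needs once the FORWARD policy from section 5.7 is DROP (the listings above only work because the filter rules had been flushed first). Two deliberate departures, both assumptions of mine: the DNAT points at db01's internal address 172.16.1.51 rather than 10.0.0.51, so that db01's replies come back through m01 (its gateway after 6.2) instead of going straight to the client, and the rules are added with a -C check first so the script can be re-run without duplicating them. The addresses and interface names are the lab's; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: NAT gateway setup from section 6 (m01 forwards for db01).
set -eu

# Assumed lab addresses from the notes: m01 is 10.0.0.61 on eth0 (outside)
# and 172.16.1.61 on eth1 (inside); db01 is 172.16.1.51 behind it.
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-10.0.0.61}"
LAN_NET="${LAN_NET:-172.16.1.0/24}"
FWD_PORT="${FWD_PORT:-8080}"
TARGET="${TARGET:-172.16.1.51:22}"   # internal address, so replies route back via m01

# One rule per line: "<table> <chain> <match ...> -j <target>".
# nat rules rewrite addresses; the filter FORWARD rules are what actually
# permit the rewritten packets to cross the box when FORWARD's policy is DROP.
nat_rules() {
    local target_ip=${TARGET%:*} target_port=${TARGET##*:}
    cat <<EOF
nat PREROUTING -i ${WAN_IF} -d ${WAN_IP} -p tcp --dport ${FWD_PORT} -j DNAT --to-destination ${TARGET}
nat POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${WAN_IP}
filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -i ${WAN_IF} -d ${target_ip} -p tcp --dport ${target_port} -m state --state NEW -j ACCEPT
filter FORWARD -s ${LAN_NET} -o ${WAN_IF} -m state --state NEW -j ACCEPT
EOF
}

# Number of rules in nat_rules matching a pattern (chain name, target, ...).
count_rules_for() {
    nat_rules | grep -c -- "$1"
}

# Turn forwarding on now and keep it on after reboot (section 6.1, both methods).
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
}

# Append each rule only if an identical one is not already present (-C checks
# for it), so running the script twice does not create duplicate rules.
# Root only; not executed here.
apply_nat_rules() {
    local table chain rest
    while read -r table chain rest; do
        # shellcheck disable=SC2086  # word splitting of $rest is intended
        iptables -t "$table" -C "$chain" $rest 2>/dev/null || iptables -t "$table" -A "$chain" $rest
    done <<EOF
$(nat_rules)
EOF
}
```

If the outside address of the gateway is assigned dynamically, replace the SNAT rule with -j MASQUERADE, which picks up the interface's current address each time. Test the forward from a third host with ssh -p 8080 10.0.0.61 and watch it land on db01; conntrack -L on m01 shows the translated entry.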
7. Firewall summary
- iptables has 4 tables and 5 chains
- the filter table implements the firewall proper
- the nat table's PREROUTING chain implements port forwarding (DNAT)
- the nat table's POSTROUTING chain implements shared Internet access (SNAT)